Yahoo Messenger Worm
There is a nasty worm spreading through Yahoo Messenger. It takes control of your messenger and, without your knowledge, sends messages containing links to a website that hosts the worm to everyone on your friends list.
This worm spreads itself by sending links to your contacts in messengers like Yahoo. It disables Registry Editor and Task Manager. It changes the Internet Explorer (IE) home page and also modifies the registry so that you cannot change the home page address back.
If your computer is infected with this virus, it sends the nsl-school.org URL to everyone on your Yahoo Messenger friends list using your ID, so within a few hours many of your friends will be infected as well.
Which links does it send?
Nsl-school.org
mytermex.com
myglobal-news.com/?news_id=18388
or others (do not open these URLs in your browser).
Here are the simple steps to remove the worm from your system:
1) Download this http://arunmvishnu.googlepages.com/RepairRegistry.reg file (or edit the registry manually, as described below).
2) Double-click the downloaded registry file. You will be asked whether you are sure you want to add this to the registry; click Yes.
3) Restart your system.
4) Delete the file svhost32.exe from your Windows folder (if it is present).
5) Delete the file svhost.exe from your Windows folder (if it is present).
6) Lastly, search for ENET.EXE and delete it if found.
Editing registry manually
------------------------------
1: Close the browser and log out of Messenger.
2: Click Start, Run and type this command exactly as given below (better: copy and paste):
REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 0 /f
3: To enable Task Manager (we need it to kill the process):
Click Start, Run and type this command exactly as given below (better: copy and paste):
REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 0 /f
4: Now we need to change the default page of IE through regedit.
Start>Run>Regedit
At the locations below in Regedit, change your default home page to http://arunmvishnu.siteburg.com or any other page.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main
HKEY_USERS\Default\Software\Microsoft\Internet Explorer\Main
Just replace the attacker's site with http://arunmvishnu.siteburg.com or set it to a blank page.
5: Now we need to kill the process. Press Ctrl + Alt + Del to open Task Manager.
Kill the process svhost32.exe (more than one instance may be running; check carefully).
6: Delete the svhost32.exe and svhost.exe files from the Windows\ and Temp\ directories, or just search your computer for svhost and delete those files.
7: In regedit, search for svhost and delete every result you get.
Start menu > Run > Regedit
8: Restart the computer.
That's all.
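A read-only triage script, added here and not part of the original post, that checks a machine for the indicators the steps above rely on (the two policy values, the IE Start Page in the three hives, Run entries and files named svhost.exe, svhost32.exe or ENET.EXE, and running svhost processes). Run it before and after cleanup to confirm the steps took effect; it assumes PowerShell is available, which the XP-era post did not, and the hive list and output format are my own choices.

```powershell
# Added triage script (not from the original post). Read-only: it only reports
# the indicators described above and changes nothing on the machine.
$findings = New-Object System.Collections.Generic.List[string]

# 1. Policy values the worm sets to lock the user out of regedit / Task Manager
$policy = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
foreach ($name in 'DisableRegistryTools', 'DisableTaskMgr') {
    $val = (Get-ItemProperty -Path $policy -Name $name -ErrorAction SilentlyContinue).$name
    if ($val -eq 1) { $findings.Add("$name is set to 1 under $policy") }
}

# 2. IE home page in the three hives the post lists. The post writes
#    HKEY_USERS\Default; the actual key name is HKEY_USERS\.DEFAULT.
$ieKeys = @(
    'HKCU:\Software\Microsoft\Internet Explorer\Main',
    'HKLM:\Software\Microsoft\Internet Explorer\Main',
    'Registry::HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main'
)
foreach ($key in $ieKeys) {
    $page = (Get-ItemProperty -Path $key -Name 'Start Page' -ErrorAction SilentlyContinue).'Start Page'
    if ($page -and $page -ne 'about:blank') { $findings.Add("Start Page in $key = $page") }
}

# 3. Autorun entries pointing at the dropped binaries (one commenter saw a
#    Run value named SVCHOST.exe whose data was c:\windows\svhost.exe)
$runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
foreach ($key in $runKeys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    foreach ($p in $props.PSObject.Properties) {
        if ("$($p.Value)" -match 'svhost(32)?\.exe|enet\.exe') {
            $findings.Add("Run entry '$($p.Name)' in $key -> $($p.Value)")
        }
    }
}

# 4. Dropped files in the Windows folder and the user's Temp folder
foreach ($dir in $env:windir, $env:TEMP) {
    foreach ($file in 'svhost32.exe', 'svhost.exe', 'ENET.EXE') {
        $path = Join-Path $dir $file
        if (Test-Path -LiteralPath $path) { $findings.Add("File present: $path") }
    }
}

# 5. Running processes with the trojan's name (svhost, not the legitimate svchost)
Get-Process -Name 'svhost', 'svhost32' -ErrorAction SilentlyContinue |
    ForEach-Object { $findings.Add("Process running: $($_.ProcessName) (PID $($_.Id))") }

if ($findings.Count -eq 0) { 'No indicators from the post were found.' }
else { $findings | ForEach-Object { "[!] $_" } }
```

Reading HKLM and HKEY_USERS\.DEFAULT works from a normal account; only the removal steps themselves need administrator rights.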
40 Comments:
Thanks for that... :)
By Anonymous, At 10/24/2006 10:26:00 PM
Thanks a lot Arun .. You really saved my ass :) . I could avert the danger of formatting my PC because of your solution .. Thanks a million. My mail id is av_balaji@yahoo.com
By Anonymous, At 10/25/2006 07:07:00 PM
WOW !
How Funny !
You are very smart. On the one hand you are giving medicine to remove the Yahoo Messenger virus and on the other hand you are giving registry values as a download. A poor user who doesn't know anything about the registry will fall prey to your trick. Once the downloaded registry file is double-clicked, his browser home page will be your website...!
By Anonymous, At 10/27/2006 10:07:00 PM
heyyy...chng the home page is nt a big prob...i thnk evry user know dat.so dnt wry abt dat..i just gvn a home page...if u want2change ..chnge it..wat else
By Arun Vishnu M V, At 10/27/2006 10:14:00 PM
HI
- NOW ITS ENOUGH
DON'T BEFOOL PEOPLE..!
ELSE YOU WILL CATCH SPONDYLITIS SOON
By Anonymous, At 10/29/2006 11:10:00 PM
Worked thanks!
By Anonymous, At 10/31/2006 08:10:00 PM
Hi Arun, I tried all the things yesterday except deleting the svhost.exe, as it was not allowing me to delete that. So when I restarted my computer it again disabled my regedit and task manager, and made my home page the one you mentioned. Also I checked that in Regedit, under HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, I have one entry SVCHOST.exe whose value is c:\windows\svhost.exe. Now I don't know whether I should delete this entry or not, as I read somewhere that this exe is used by Windows to start the services. So can you suggest me something.
Thanks,
Deepti
By DD, At 11/02/2006 09:21:00 AM
Hi Arun,
My laptop too was affected by this virus. I tried the steps you suggested but the moment I clicked the file you asked to download, the administrator disabled this regedit process. I didn't know what to do, so I restored my system to an earlier date. Though I am able to change the homepage, I am not sure whether it solved my problem completely.
By Anonymous, At 11/02/2006 07:55:00 PM
Hi DD
The Svchost.exe file is located in the %SystemRoot%\System32 folder. At startup, Svchost.exe checks the services part of the registry to construct a list of services that it must load. Multiple instances of Svchost.exe can run at the same time. Each Svchost.exe session can contain a grouping of services. Therefore, separate services can run, depending on how and where Svchost.exe is started. This grouping of services permits better control and easier debugging.
But Svhost.exe/Svhost32.exe is a Trojan/Backdoor.
I think you forgot to kill those processes. So before you try to delete those files, first kill the processes (press Ctrl + Alt + Del, then kill the process Svhost.exe/svhost32.exe. More than one process may be running, so kill all of them). Delete the file svhost32.exe (if it is present), delete the file svhost.exe (if it is present). K.
Hey anon,,
you must have admin power to edit the registry.. sorry dude.. but check your task manager and IE homepage. If your task manager is enabled and if you can change your IE homepage.... then hmm I think u r lucky. k
By Arun Vishnu M V, At 11/02/2006 08:48:00 PM
Hi Guys,
This is Puneet from Delhi, India. I am a software engineer.
That's true. It really works. I faced the problem as I clicked that shit link.
I enabled all the utilities and found the source of the worm. While doing R&D on that I got to know this link, and all the details given on this link are true. If you don't want to use his instructions you can also enable your Task Manager, regedit and Run menu through the Group Policy window, which can be opened by running the gpedit.msc command from the command prompt.
You can also google for further details.
By Anonymous, At 11/02/2006 11:09:00 PM
Hi again,
My task manager seems to work. But not being all that knowledgeable in this techie stuff, I really do not understand what 'enabled task manager' means.
By Anonymous, At 11/02/2006 11:26:00 PM
Thank U very much, Arun. It took care of the YM virus & partially took care of some of the registry problems. Now, I am buying a registry repair from eBay 4 $2.00 & free S&H. Hopefully it will take care of some of the problems in the total registry. I am also getting me a new FireWall since the virus rendered my Windows Fire Wall totally beyond repair.
I have been @ this problem 4 an entire week now. I am surprised my computer did not completely crash since it disabled my Task Manager, Register, Key Board & Mouse (not all @ the same time).
Some guy got mad @ me since I refused 2 date him as he was already married. I complained about him 2 some of my friends & even the police since he kept harassing me.
1 of my friends e-mailed him 2 leave me alone & let him know the police is aware of some of his activities. That is when he said I am going 2 pay 4 my insolence, hacked in2 my computer & introduced all sorts of spyware, malware, hacker's tools, trojans, worms & viruses!!!
I called up tech support, chatted w/ them online, they were all useless!!! Called up PC Doctors, they were swamped, so I researched all of the free disinfections, scans, containments, & partial cures. @least, I have diminished from over 400 problems 2 just 232 last scan & count. I guess, U might say, what really slowed me down is I am no techno geek, so instructions were a bit difficult 4 me 2 follow since people skipped processes in their advice.
4 instance, when 1 said 2 go to Systems Restore, I did not know that U R supposed 2 go 2 start, programs, accessories, system tools, b4 U can finally arrive @ systems restore!!!
So, I kept searching 4 instructions that made sense 2 me. I also looked up several definitions such as registry. W/ all of the technical babble, I finally understood that registry means the brains of the computer!!! Yikes!!! LOL... now I know & I can't believe that I have learned more w/in a week's time than I have ever done in several years' time!!! Does that mean I am becoming a techno geek as well??? ;o)
Anyhow, I am glad some1 like U is around 2 help fix some problems!!! Your Registry repair helped fix my access 2 IE (Internet Explorer) which I only access 4 Yahoo Games & nothing more. I normally make use of Netscape Navigator 4 everything else. The Sonahat U Virus disabled and locked the schoolgirl website in place so that I cannot change it. Your brilliant solution took care of that as well.
I went back 2 many of my online chatters who knew I don't ever make use of expletives nor send explicit sexual materials online. Still, I apologized 2 them. I also explained 2 them that I have only half the solution since I have the ammunition (Anti-Virus, Anti-Spyware, Anti-Adware) 2 combat the attacks, but not the fortress or castle 2 house my computer (FireWall). I also explained that I am looking 4 the medicine (Registry Repair) 2 help heal & help my computer slowly recuperate so that it can work 2 @ least near efficiency if not completely.
4matting or killing the patient is not an option yet since it is the most radical 4m of solution there is!!! We shall C!!! Thank U 4 taking the time 2 help others like me who has no clue otherwise on what 2 do.
Most Sincerely Written,
Lady Hawke
By Anonymous, At 11/07/2006 12:52:00 AM
Hello anonymous,
2 enable task manager simply means pressing the buttons Ctrl + Alt + Delete so that U can delete a non functioning (or frozen open windows) such as when U closed a website, but is not responding @ all... or simply 2 delete a file , etc... if your entire computer refuses 2 do anything (freeze frame) then Ctrl + Alt + Delete can restart U'r computer safely.
When a virus disables your task manager by saying that task manager is disabled by the administrator, then enable it according 2 Arun's instructions. Once U have access 2 Ctrl + Alt + Delete, then press the processes tab & search 4 those viruses Arun spoke of. I know, cuz it was the easiest way 4 me 2 delete them via the windows task manager box that opened.
All I did was highlight each virus, then pressed the end process button @ the bottom. Simple as that & nothing more. Like U, I am no techno geek.
But I learned since it is my 1 & only computer, so since I am in the medical field, I made sure I programmed my brain 2 think like this is a medical problem, my Computer is my Patient, the FireWall is the safe fortress or Hospital, the Anti-Virus, Anti-SpyWare, Anti-Adware were all inoculations & the Repair Registry was the medication 2 help heal the sick Patient.
This kind of thinking helped me deal w/ how 2 proceed & understand as much as I can 2 help the patient recover instead of killing it (re4matting).
LOL... it is how I described it 2 my other chatters since computers R so darned complicated!!! But once they understood the simplification process, then all the explanations did not seem intimidating @ all!!! Hope I helped U understand all of this.
Lady Hawke
By Anonymous, At 11/07/2006 01:44:00 AM
Hey... Lady Hawke.. thanks yaar... really a big comment.. hehehe.. anyway I'm happy 2 know dat my post helped you ppl to remove that worm. But lots of such viruses, worms etc. are trying to catch our systems. So when you get a link make sure dat it is not a virus/worm site.. hmm we can't predict whether it contains those.. but read the message carefully... from the language and style you can understand if the link is sent by your friend or by a worm. k..
By Arun Vishnu M V, At 11/07/2006 08:17:00 PM
Hi Arun,
I have this worm, and I can't go to Step 2, since running the downloaded file didn't enable regedit. I can't make regedit work.
Any advice?
Jason
By Anonymous, At 11/08/2006 02:53:00 AM
Dear Arun,
I receive this message whenever I go to any site in Internet Explorer:
" A runtime error has occured. Do you wish to Debug?
Line: 1
Error: Invalid Character
and similarly another one:
"A runtime error has occured. Do you wish to Debug?
Line: 875
Error: 'cqanswer'is undefined
please advise
regards
nayeemkhan
By Anonymous, At 11/19/2006 09:38:00 AM
Hi Arun,
Thanks Mate!!!
Hi Jason,
The second point under the heading "Editing registry manually"
can help you to activate your REGEDIT.EXE.
regards
Prabhu
By Anonymous, At 11/19/2006 11:29:00 PM
Hi Jason, I think the problem is that you clicked the "No" button instead of Yes when you were asked whether you're sure to add this to the registry. Click Yes; this will solve your problem. Ya.. as Prabhu told, you can try the second method, editing manually.
Prabhu, thanks.
Hi nayeemkhan, I think the problem is not with your browser, but the website. Anyway, try those sites in Firefox or any other browser. If you are not using IE7, try to upgrade your IE to IE7. k
By Arun Vishnu M V, At 11/20/2006 09:17:00 AM
Hi man
I'm getting a problem. A virus affected my PC from my friend's message on MSN. The IE homepage is set to http://thecoolpics.net and changing the IE homepage is disabled. Also my Run option on the Start menu and Task Manager are disabled too. When I press Ctrl+Alt+Delete the error message comes: "Task Manager has been disabled by your administrator". Hope to get the right solution
Sanjeev
touch2sanjiv@hotmail.com
By Anonymous, At 11/27/2006 09:37:00 AM
Please help... downloading the file and running it says "Registry Editing has been disabled by your administrator". What to do now???
By Anonymous, At 11/27/2006 09:22:00 PM
Hi Vishnu,
Thanks for the guidance. But I'm having another problem : my "Run" is missing. How to re-enable it? Is it in the registry?
Thanks,
ChQ
By Anonymous, At 11/28/2006 09:03:00 PM
Hey!
I have a kinda more advanced problem than the NSL one..
I cannot access Run, Task Manager, Internet Options, Folder Options, or RegEdit.
Nor can I add anything to the Registry.
The homepage is set to http:// quicknews.info.
What can you suggest?
Please drop me a line at hitmohit@gmail.com if you don't mind!
By MOHiT, At 3/06/2007 10:41:00 PM
Hi Arun,
In Yahoo Messenger I clicked a message with a link and it was an exe file; it is sending chat messages whenever I log in to Yahoo Messenger. I tried your guidelines on how to remove that trojan backdoor virus, but my Task Manager is opening yet nothing is showing up under the Processes tab and Applications tab, and regedit is only blinking, not showing up. Please help
By ebb, At 3/21/2007 06:50:00 AM
It now says that Registry editing has been disabled by the administrator.
I cannot run the link you provided. Also I cannot find Run on the Start menu or in search. I cannot find Start - Settings! What should I do!
By Anonymous, At 4/12/2007 10:50:00 PM
Hey!
I have a kinda more advanced problem than the NSL one..
I cannot access Run, Task Manager, Internet Options, Folder Options, or RegEdit, and I can't even run your given file.
Nor can I add anything to the Registry.
The homepage is set to http:// quicknews.info.
What can you suggest?
Please drop me a line at sallos22@yahoo.com if you don't mind!
By Anonymous, At 4/18/2007 03:59:00 PM
Hi Arun,
I am facing the same problem as Anony... can you please let us know the solution, as nothing is working.. no Run command, no Ctrl+Alt+Del and not even your regedit file.
Thanks
Parvinder Singh
By Parry, At 4/21/2007 01:57:00 PM
Hi Arun, I'm facing the same problem. The Run option in the Start menu is missing; also I can't access the Registry Editor or the Task Manager. Also I can't turn off the System Restore option. My home page has also been hijacked to quicknews.info. Please help me out of this problem. Regards
Prashant
By Anonymous, At 4/25/2007 11:37:00 AM
Hi, that virus also disables Run and the Registry, so how can I change those values without opening it? Thank you
By Anonymous, At 5/04/2007 09:48:00 AM
Hi friends.. I got lots of comments and mails regarding virus problems. The main problem is disabled regedit and Windows Task Manager. So here is a method to enable Task Manager and regedit. Please try this. And don't forget to post your comments. Download and run these files.
1. Download this for enabling regedit->
http://arunmvishnu.googlepages.com/EnableReg.vbs
2. Download this for enabling Windows task Manager
http://arunmvishnu.googlepages.com/EnableTM.vbs
By Arun Vishnu M V, At 5/13/2007 10:49:00 PM
Good work.
To remove this worm from your system, update your anti-virus and also download and install Ad-Aware SE. The homepage problem gets solved on the first scan itself. Then just repair the system registry according to the instructions posted above.
By Anonymous, At 5/20/2007 06:19:00 AM
Please help!!!
I have a virus problem which says that your Task Manager/Run has been disabled by the system administrator; also when I have logged in as the Administrator account it has allowed...
Also with GPEDIT.msc there are no enabled items...
By Nishit, At 5/25/2007 10:06:00 AM
Hi there - got a similar problem. 24th July 2007 - got a link from a Yahoo Messenger user - in a hurry I opened and extracted the files. Now I have 3 dial pop-ups all the time showing C:\svchost.exe as the dialing program. My Task Manager box opens but it will not show the Applications, Processes or Users tabs. Plus I cannot use Yahoo Messenger without sending the virus to everyone else. I have tried all your stuff here and links etc. It seems that this is a copycat or upgraded virus/trojan to what originally started in this forum for discussion. I'm about to wipe the whole laptop, but thought I would give one last cry out for help please? I have searched all day for a fix etc. The problem I am having is that without Task Manager being operative as such, I can't kill any of the dial-up boxes. Why do they do these viruses - it's no fun. Regards - Chris
By Anonymous, At 7/25/2007 01:12:00 AM
Hi there. I sorted it out today using AVG anti-spyware software via www.grisoft.com. Sorted the whole lot out - seems OK. Try it out guys - I'm a novice and it's helped me out of a real sticky situation. Plus IT'S FREE !!! Cheers. Christian.
By Anonymous, At 7/26/2007 12:45:00 AM
Hi Arun,
I downloaded the registry stuff but when I tried to run it... a msg displayed that registry editing is disabled by the administrator. The RUN option and the Folder Options are also not showing up!! Unable to change the homepage too..!
Please help me in this regard..
Mana
By Anonymous, At 8/12/2007 05:11:00 AM
Please help, administrative access regedit.exe is eaten by the virus, I cannot do anything, please help
please contact me vibhuti_shri@hotmail.com
By Anonymous, At 8/13/2007 08:47:00 PM
Visit this post to know how you can enable task manager and REGEDIT http://arunmvishnu.blogspot.com/2007/05/enabling-regedit-and-task-manager.html
By Arun Vishnu M V, At 8/13/2007 09:03:00 PM
Hey.. uhmm.. I really need help.. there is this virus.. it changes my status message, sends URLs like www.freewebtown.com with languages I don't understand like this.. "ni thiao nang ho dien" to my friends in groups, and I can't run my Task Manager, and my homepage is unitedreporters blahblah.. I downloaded something on the internet so I could solve the problem and when I ran it, it only changed the homepage, but still when I open my YM it still sends those stupid messages to my friends. Please, I really need help, this virus is 1 month old now. What virus is this? I installed Firefox and the Google toolbar.. I thought that this virus is a Sohanad worm.. what is it and how can I solve it? Here's my email ad too. kay_albar15@yahoo.com
By Anonymous, At 12/09/2007 02:59:00 PM
When I opened it, a command prompt appeared and said... repairregstry is not a valid win32 application.. what must I do? tnx..
By Anonymous, At 2/01/2008 06:17:00 PM
ARUN! Please help! I've got this stupid worm virus in my YM, changing my status message to some unreadable Vietnamese messages. I did what you said but it kept on coming back. Can you please help? My mail ID is hopeful.insomniac@gmail.com
By Anonymous, At 3/14/2008 11:55:00 AM
Thanks for your help!
By Anonymous, At 5/05/2008 03:03:00 PM